Why do I have multiple accounts?
BluAuth is one identity system that can sit in front of many sign-in methods — a password, your Google account, your Microsoft account, an SSO provider your company uses. Most of the time BluAuth recognizes that these are all "you" and links them into a single account. Occasionally, it doesn't.
How automatic linking works
When you sign in for the first time with a new method, BluAuth looks for an existing account that matches. Two things have to be true for it to link automatically.
- The provider has to be trusted to confirm your email. BluAuth only auto-links when the upstream provider explicitly proves the email is verified.
- The email has to land on an identity BluAuth already knows belongs to you. That can be your primary email, or another verified alias already attached to your account.
When both conditions are met, BluAuth adds the new sign-in method to your existing account. You'll see a brief "linked to your existing account" message and you're in.
Why linking sometimes fails
The most common reason is an email mismatch or an unverified upstream email. A few scenarios where this shows up:
- Your Google account is jane.doe@corp.com but your BluAuth account was originally created with jane@corp.com, and that second address was never added as a verified alias.
- Your company changed domains (oldcorp.com to newcorp.com) and some of your sign-in methods still use the old one.
- You signed in once with a personal Gmail before your admin added you to your work tenant.
- An SSO provider returns your email in a different case or format than BluAuth originally saved.
When the emails don't match, BluAuth can't prove the two are the same person, so it creates a second account rather than guess.
Providers that never auto-link
Some providers are configured so that BluAuth won't link automatically even if the email matches. This is a policy choice your admin makes, usually for security-sensitive tenants. Common cases:
- Personal Google or Microsoft accounts — auto-linking is often disabled so an attacker can't create a matching personal account and piggyback onto your work identity.
- Public or low-trust providers — any provider that doesn't verify email ownership to BluAuth's satisfaction.
- Tenants with strict identity policies — some organizations require a manual merge for every new sign-in method.
In those cases, you'll see a separate BluAuth account for the new sign-in method and you'll need an admin to merge it.
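The linking rules from "How automatic linking works" and the per-provider policy described in this section, sketched as an added example (not BluAuth's own code). The names `Account`, `ProviderPolicy`, `decide_link` and the provider keys are hypothetical, the `email_verified` flag is modelled on the OpenID Connect claim of that name, and the exact-match email comparison is an assumption chosen to mirror the case/format scenario listed earlier.

```python
from dataclasses import dataclass

@dataclass
class Account:
    account_id: str
    verified_emails: frozenset  # primary email plus verified aliases

@dataclass
class ProviderPolicy:
    trusted_for_email: bool = True  # provider can prove email ownership
    auto_link_allowed: bool = True  # admin policy; False means manual merge only

def decide_link(accounts, policies, provider, email, email_verified):
    """Return (action, account_id, reason) for a first sign-in with a new method."""
    # Unknown providers get the most restrictive policy.
    policy = policies.get(provider, ProviderPolicy(False, False))
    if not policy.auto_link_allowed:
        return ("create_new", None, "provider never auto-links by policy")
    # Require a real boolean True: a missing flag or the string "true" is not proof.
    if not policy.trusted_for_email or email_verified is not True:
        return ("create_new", None, "email not proven verified by provider")
    # Exact comparison (assumption): a different case or format does not match.
    matches = [a for a in accounts if email in a.verified_emails]
    if len(matches) != 1:
        return ("create_new", None, "no unique known identity for this email")
    return ("link", matches[0].account_id, "verified email matches known identity")

# Constructed sample data, not real accounts or real provider names.
ACCOUNTS = [Account("acct-1", frozenset({"jane@corp.com"}))]
POLICIES = {
    "corp_sso": ProviderPolicy(),
    "google_personal": ProviderPolicy(auto_link_allowed=False),
    "public_idp": ProviderPolicy(trusted_for_email=False),
}
SAMPLES = [
    ("corp_sso", "jane@corp.com", True),         # both conditions met
    ("corp_sso", "jane.doe@corp.com", True),     # address never added as alias
    ("corp_sso", "Jane@Corp.com", True),         # same mailbox, different case
    ("corp_sso", "jane@corp.com", "true"),       # flag is a string, not a boolean
    ("google_personal", "jane@corp.com", True),  # admin disabled auto-linking
    ("public_idp", "jane@corp.com", True),       # provider not trusted for email
]

def run_samples():
    return [decide_link(ACCOUNTS, POLICIES, *s) for s in SAMPLES]

if __name__ == "__main__":
    for sample, result in zip(SAMPLES, run_samples()):
        print(sample, "->", result)
```

Only the first sample links; every other path ends in a separate account, which is the duplicate an admin later merges.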
Signs you have duplicate accounts
- You sign in and don't see your usual data — no history, no saved settings, no team memberships.
- Colleagues say they've shared things with you that you can't find.
- You've been asked to accept an invitation twice, or to set up 2FA again on an account that already had it.
- The sign-in page greets you by name the first time and by email the next.
- You see an "Account claimed by another user" error when trying a new sign-in method.
Any one of these can mean duplicates. More than one is a strong sign.
What to do
Don't try to fix this by creating more accounts. Every new sign-in method you try with a different email makes the problem worse. Stop signing in with any method that produces unfamiliar data and reach out.
- Note every email address you've used to sign in, and which method each one was paired with (password, Google, Microsoft, etc.).
- Note which account "feels right" — the one with your real data in it.
- Contact your administrator and share the list.
- They can use BluAuth's merge tool to combine the accounts into a single identity.
What the merge looks like from your side
While an admin is merging your accounts, you might see a "Merge in progress" banner the next time you sign in. During this state:
- You can still sign in, but some features may be temporarily unavailable.
- You may be signed out of all active sessions once the merge completes, so you'll sign in fresh.
- The merge is usually quick — seconds to minutes — but a very large account can take longer.
Once it's done, you'll sign in with whichever method was easiest for you, and everything (data, sessions after the next sign-in, linked providers) will live on a single account.
What happens to your data during a merge
The merge is additive, not destructive.
- All your data is preserved. Nothing is deleted — the secondary account's data is reassigned to the primary account.
- Every linked sign-in method is kept. After the merge, you can sign in with any of the methods that were attached to either account.
- Your roles and permissions follow the primary account. If the two accounts had different roles, your admin decides which to keep.
- Your 2FA setup stays on the primary account. If 2FA was enabled on both, the primary account's 2FA remains; the secondary account's 2FA is discarded.
- Audit history is preserved. For compliance, records of the original accounts are kept.
Un-linking a provider
If you want to disconnect one sign-in method from your account — for example, to stop using a personal Google account that got linked to your work identity — that's an admin action, not something you can do yourself. Contact your administrator and tell them:
- Which provider you want un-linked.
- Which email address is associated with it.
- Whether you still want to keep the other sign-in methods.
Un-linking is intentionally restricted because removing a provider can lock you out if it was your only way in. Your admin will make sure you have another working sign-in method before they remove anything.
Identity proofing for high-risk merges
When an admin merges accounts, BluAuth sometimes requires additional verification before it goes through — this is called identity proofing. It kicks in automatically for merges considered higher risk:
- Merging an account that holds admin privileges.
- Merging two accounts with very different sign-in histories (different countries, different devices, long gaps in activity).
- Merging when one account has recently had its password reset or a new provider added.
Proofing typically means you'll be asked to confirm the merge from your current sign-in session, or to complete a one-time verification step your admin sends you. It exists to make sure the admin isn't being tricked into merging your account with an attacker's.
Preventing duplicates in the first place
Whenever possible, use the same email address across every sign-in method. If you know you'll need multiple addresses, ask your admin to add the others as verified aliases before you start mixing providers.
If you must use different addresses, tell your admin at first sign-in so they can link them proactively — it's much easier to prevent duplicates than to clean them up later.
Common questions
Can I merge my own accounts without an admin?
No. Merges are an admin-only action because they're irreversible and because they affect data ownership. Even in tenants where you can do a lot of self-service, merging sits on the admin side.
Will the other person on the other account see anything?
If a merge involves two accounts that were genuinely the same person (you), nothing about the merge is shared with anyone else — only you and your admin see it. If the two accounts belonged to different people (a mistake during signup, a shared address), the admin will work that out before the merge; they won't quietly combine two real people's data.
What if I don't want my accounts merged?
Tell your admin. Keeping duplicate accounts separate is unusual but sometimes justified (for example, a personal test account versus your real account). Your admin can leave them separate and just make sure the one you care about has the right roles and data.
Does account linking have anything to do with how my data is stored?
No. Linking and merging are about which sign-in methods are recognized as belonging to the same person. Your actual data — profile information, team memberships, activity history — is separate. The merge tool moves data between accounts, but the linking rules just govern when a new sign-in lands on an existing account versus a new one.
I see a new account at my admin's end that I don't recognize
Tell your admin. Duplicate accounts sometimes show up because of typos at signup, old invitations that got re-used, or a sign-in method that briefly returned a different email. Admins would rather know about stray accounts than leave them sitting in the system.
What if I intentionally want separate accounts for work and personal use?
That's fine and fairly common — many people keep a work identity and a personal one separate, even within the same tenant. Just be careful that each sign-in method is tied to the right account:
- Use your work email for work sign-in methods (work Google, work Microsoft, corporate SSO).
- Use your personal email for personal sign-in methods (personal Google, personal Apple ID).
- Don't mix the two — that's what creates the "why do I have multiple accounts" confusion in the first place.
Do I get a notification when my account is linked or merged?
Yes. BluAuth sends an email whenever a sign-in method is added to your account, whenever your account is merged with another, and whenever a provider is un-linked. If you see one of these emails and didn't expect it, treat it as a security alert — change your password and contact your admin immediately.
Can I preview what will happen before a merge runs?
Ask your admin to run a dry-run of the merge if they support it. Most admins can show you which account will become the primary, which sign-in methods will remain, and what happens to your roles and data — all before anything actually changes. If something looks off, they can cancel and rework the merge plan.
Related
- I can't sign in — if "account claimed by another user" is what you're seeing.
- My session keeps expiring — merged accounts often trigger a forced re-auth.
- Two-factor authentication — what happens to 2FA when accounts merge.
- How do I reset my password? — resets apply per-account, so duplicates need separate resets until merged.